
Passwords aren't the problem -- we are

Roger A. Grimes | Aug. 14, 2014
A billion stolen passwords or no, we can all benefit from exercising common sense when it comes to online security.

The world is abuzz with news that a Russian hacker conglomerate may have stolen more than 1.2 billion email addresses and passwords. Whether or not the report turns out to be true, with all the ways the bad guys can get your credentials, you're fooling yourself if you think you don't have to worry about ever being compromised.

But I'm not here to tell you to use stronger passwords (for the most part, that doesn't work), to only use two-factor authentication (not available on most websites), or to change all your passwords (though you probably should).

The fact is that long and strong passwords, for the most part, don't work. The bad guys' methods for stealing them will prevail, no matter how good your password. Even if your logon credentials aren't caught up in the batch of stolen passwords making the latest news headlines, chances are that one or more of your passwords have been stolen or will be stolen in the near future. It's the Internet, and it's very insecure. It's a dangerous, wild, wild West often controlled by outlaws and criminals. It's going to remain that way for the foreseeable future.

Instead, I'll encourage each of you to send a letter to all your friends and the businesses you engage with. I'm more than half-kidding, but I think if our friends and businesses used more common sense, we would all be safer. Here's my letter:

Dear friends and businesses,

There is a good chance that all of our Internet passwords are already stolen. In light of that assumption, let me share what the real me would not do, along with other hints. That way, if you get an email or commercial transaction supposedly from me, you'll be able to quickly separate the legitimate wheat from the rogue chaff. Here are my hints:

For businesses:

  • I will not ever buy a product and have it shipped to another country.
  • If I buy any product and ask you to ship it to anywhere besides my long-held home address, you have permission to call me on my long-held phone number to verify.
  • I will never change my mailing address, phone number, and email address, and then also transfer all my money to another bank within the same day, much less within the same Web session.
  • You should never transfer all my money to another bank or country without first calling my long-held phone number.
  • I will never sell all my stock, at a loss, and try to transfer the money to a foreign bank during the same day.
  • I will not call you to reset my online password and then be unable to easily verify information such as my last transaction, purchase, user, or origination location of the last session.
  • My debit and credit cards have my picture on them. If I'm buying in person, I should at least look a little like my picture.
